ssl

Summary

Example object

{
  "cipher_filter": "",
  "protocols": [
    "TLSv1_0",
    "TLSv1_1",
    "TLSv1_2",
    "TLSv1_3"
  ],
  "cert_key_pairs": [
    {
      "certificate_path": "/etc/proxy/tls/sidecar/server.crt",
      "key_path": "/etc/proxy/tls/sidecar/server.key"
    }
  ],
  "trust_file": "/etc/proxy/tls/sidecar/ca.crt",
  "sni": null
}

Fields

cipher_filter

Envoy cipher suite. If specified, only the listed ciphers will be accepted. Only valid with TLSv1-TLSv1.2, but has no affect with TLSv1.3.

Examples include the values below, but full options should be found in the link above.

• [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]

• [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]

• ECDHE-ECDSA-AES128-SHA

• ECDHE-RSA-AES128-SHA

• AES128-GCM-SHA256

• AES128-SHA

• ECDHE-ECDSA-AES256-GCM-SHA384

• ECDHE-RSA-AES256-GCM-SHA384

• ECDHE-ECDSA-AES256-SHA

• ECDHE-RSA-AES256-SHA

• AES256-GCM-SHA384

• AES256-SHA

protocols

Array of SSL protocols to accept: "TLSv1_0", "TLSv1_1", "TLSv1_2", "TLSv1_3"

cert_key_pairs

Array of (cert, key) pairs to use when sending requests to the instances of the cluster. Each cert or key must point to files on disk.

trust_file

String representing the path on disk to the SSL trust file to use when sending requests to the instances of the cluster. If omitted, then no trust verification will be performed.

sni

String representing the intended target of the request. Used when the server is behind a load balancer that identifies hosts through SNI.